Esser vindicated by PHP bug project

Last month, Stefan Esser, an independent security consultant and a founder of both the Hardened-PHP Project and PHP Security Response Team (which he has since left), launched his Month of PHP Bugs as a way of improving the security of PHP by outing flaws in its source code.

Making himself a target for criticism through this undertaking (the PHP developer community is a spirited bunch), Esser was surprised at the positive feedback he received at the conclusion of the project. He speaks here with Howard Dahdah.

The Month of PHP Bugs (MOPB) uncovered 44 bugs. Is this good or bad?

Lets say 41 bugs, because three bugs were not in PHP and are a bonus. And no matter if one considers this good and bad, this is not the end. I know about more bugs that are still open.

And yes it is a good thing. Disclosure of vulnerabilities is always good, because this allows users to be aware of the problems, to protect themselves and it helps developers to learn about their mistakes and maybe teaches them to be a little bit more careful about this.

Looking at the email reactions I got, it seems the MOPB was great, because there was NOT A SINGLE bad email. All emails were in favour of the MOPB. To be honest I expected to get flooded with hundreds of angry emails.

How would you describe the outcome of this PHP bug project?

The outcome is that I proved that there is substance behind things I claim, which is quite uncommon in PHP security where most is just marketing talk. I have especially demonstrated that my claims that PHP developers reintroduce bugs or never fix them correctly or introduce new vulnerabilities with security fixes are valid.

What do you think you have achieved by bringing PHP bugs to the attention of the world?

I am not sure yet what I have achieved. Most people seem to do not understand what the MOPB really means and the wrong (and maybe malicious) reports in the media destroyed the goals of the MOPB partly.

For example, the media was reporting such nonsense that I got angry at the PHP developers, quit [PHP Security Response Team] and then as revenge reported security bugs in PHP.

The truth, however, is that I am responsible for the disclosure of most of the PHP security bugs disclosed during the last six years and that the MOPB was just the result of a concentrated audit. And actually the idea of a MOPB was announced in my blog before I quit the PHP Security team.

Additionally, the media was trying to downplay the MOPB in their reports with reports saying "it is not that bad, because the bugs were already fixed". Sorry, but these bugs were only fixed because I was nice enough to give them to the PHP developers in advance. Another nice claim in the media was that "most of them are only local vulnerabilities and therefore not dangerous". Well while many of them are indeed local vulnerabilities, most PHP installations are shared hostings. And for shared hosters local vulnerabilities are very dangerous, because they have to trust thousands of customers.

And what the media reporters also downplay is that many PHP applications are vulnerable and allow remote execution of PHP code. Without all those local vulnerabilities in PHP these remote PHP code execution vulnerabilities would be far less serious.

After a month of bug hunting, how would you describe the feedback you received from fellow PHP developers?

I have been doing bug hunting in PHP for years now. Only this time I collected the bugs and released them in a more dramatic way than I usually do. This kind of release is obviously needed, because in the media it sounds like I came out of the dark and suddenly started releasing PHP vulnerabilities. I have done this for years...

The PHP developers and many people in the PHP community were very, very quiet during the MOPB. The usual bloggers did not blog a single line about the MOPB. Actually, I am surprised, because I suspected that the PHP core developers would continue their attempts to discredit me. But they might have been too busy, because of all these PHP conferences.

What does this say about PHP in the enterprise. Should companies use PHP in their development environments?

Of course the Java (and Perl, Python, Ruby, ASP) fanatics will use the MOPB as argument against PHP in the enterprise. But the same people (at least the Java and ASP users) still use Microsoft or Oracle products, although both of them have far more reported vulnerabilities than PHP. I doubt any of the decision makers question that Microsoft and Oracle should be used in the enterprise. (Security researchers on the other hand might question this).

Will you do this again?

I don't know if there will be a "Return of the MOPB". But yes I will continue to uncover vulnerabilities in PHP and develop protections against those vulnerabilities.

I have been doing this for six years and I do not plan to stop. I still have more PHP vulnerabilities in my pocket.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.